infra/kubernetes/cloudflare/cloudflared.yml
Gabriel Simmer 35375f6272
Transition from Nix to YAML for Kubernetes manifests
2024-07-05 17:28:02 +01:00


---
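# cloudflared tunnel connector. Two replicas run `cloudflared tunnel run`
# against the config in the `cloudflared` ConfigMap and the tunnel credentials
# in the `tunnel-credentials` Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: cloudflare
spec:
  selector:
    matchLabels:
      app: cloudflared
  replicas: 2
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      # Nothing in this manifest needs the Kubernetes API, so the pod is not
      # given a service-account token.
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cloudflared
          # Pinned by tag, which the registry can re-point. Pinning by digest
          # (cloudflare/cloudflared@sha256:<digest>) makes the image immutable.
          image: cloudflare/cloudflared:2024.6.1
          args:
            - tunnel
            - --config
            - /etc/cloudflared/config/config.yaml
            - run
          # Least privilege for a process that only proxies traffic.
          # NOTE(review): runAsNonRoot/runAsUser are left unset because
          # runAsNonRoot needs a numeric UID; confirm the image's user before
          # adding them. No resource requests/limits are set either.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 2000
              name: metrics
          livenessProbe:
            httpGet:
              # Cloudflared has a /ready endpoint which returns 200 if and only if
              # it has an active connection to the edge.
              path: /ready
              port: 2000
            # A single failed probe restarts the container.
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config
              readOnly: true
            # credentials.json is what authenticates this connector to the
            # tunnel; anyone holding it can run the tunnel. Keep it in the
            # Secret only and mounted read-only.
            - name: creds
              mountPath: /etc/cloudflared/creds
              readOnly: true
      volumes:
        - name: creds
          secret:
            secretName: tunnel-credentials
        - name: config
          configMap:
            name: cloudflared
            items:
              - key: config.yaml
                path: config.yaml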
---
# Service in front of the cloudflared metrics listener (port 2000). No `type`
# is set, so it is a ClusterIP Service reachable from inside the cluster.
# NOTE(review): port 2000 is also the port the liveness probe hits (/ready).
# No NetworkPolicy in this file limits who can reach it; confirm one exists
# elsewhere if the endpoint should be visible to Prometheus only.
apiVersion: v1
kind: Service
metadata:
  name: cloudflared-metrics
  namespace: cloudflare
spec:
  selector:
    app: cloudflared
  ports:
    - name: metrics
      port: 2000
      targetPort: 2000
---
# Prometheus Operator PodMonitor: scrapes every pod labelled app=cloudflared
# on its `metrics` container port every 30s. It targets pods directly, not the
# cloudflared-metrics Service.
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: cloudflared
  namespace: cloudflare
  labels:
    # Presumably matches the Prometheus instance's podMonitorSelector; verify
    # against the Prometheus resource.
    release: prometheus
spec:
  selector:
    matchLabels:
      app: cloudflared
  podMetricsEndpoints:
    # No `path` is given, so the operator's default scrape path applies.
    - port: metrics
      interval: 30s
---
# cloudflared runtime configuration, mounted into the Deployment at
# /etc/cloudflared/config/config.yaml. It holds no secret material: the tunnel
# credentials are referenced by path and come from a separate Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared
  namespace: cloudflare
data:
  # Review notes for the embedded config (kept outside the block scalar so the
  # stored data is unchanged):
  # - metrics binds 0.0.0.0:2000 so the kubelet probe and Prometheus can reach
  #   it from outside the container.
  # - warp-routing is enabled, so the connector also carries private-network
  #   traffic for WARP clients. Which networks and users are allowed is decided
  #   by account-side routes and policies not shown here; confirm them.
  # - Every hostname forwards to the same origin, https://homelab.gmem.ca, so
  #   per-host routing and authentication must happen at that origin or in
  #   Cloudflare Access. Judging by the names, some entries front admin or
  #   credential-bearing services; this file shows no access control for them.
  # - The final rule has no hostname and answers 404 for anything unmatched.
  config.yaml: |
    tunnel: new-homelab
    credentials-file: /etc/cloudflared/creds/credentials.json
    metrics: 0.0.0.0:2000
    no-autoupdate: true
    warp-routing:
      enabled: true
    ingress:
      - hostname: photos.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: pw.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: authentik.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: nitter.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: git.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: proxmox.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: tokyo.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: ibiza.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: chat.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: paste.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: e6.gmem.ca
        service: https://homelab.gmem.ca
      - hostname: minecraft-invites.gmem.ca
        service: https://homelab.gmem.ca
      - service: http_status:404